

European Data Protection Board 





EDPB Work Programme 2021/2022 


The European Data Protection Board 


The European Data Protection Board (EDPB) is an independent European body established by the 
General Data Protection Regulation (GDPR). 
The EDPB has the following main tasks: 


• To issue opinions, guidelines, recommendations and best practices to promote a common
understanding of the GDPR and the Law Enforcement Directive (LED);

• To advise the European Commission on any issue related to the protection of personal data
in the Union;

• To contribute to the consistent application of the GDPR, in particular in cross-border data
protection cases; and

• To promote cooperation and the effective exchange of information and best practices
between national supervisory authorities.


In line with Article 29 of the EDPB Rules of procedure, the EDPB has developed its two-year work
programme for 2021 and 2022, based on the EDPB Strategy 2021-2023 and the needs identified by 
the members as priority for stakeholders. 


Pillar I - Advancing harmonisation and facilitating compliance


• Further guidance on key notions of EU data protection law, developed also taking into
account practical experience of stakeholders, gathered through stakeholder events and 
consultations 


Guidelines on controller and processor*¹
Guidelines on Article 23 GDPR* 

Guidelines on the targeting of social media users* 
Guidelines on data subject rights 

Guidelines on legitimate interest 


Guidelines on processing of personal data for medical and scientific 
research purposes 


Guidelines on children’s data 
Guidance on remuneration against personal data





• Consistency activities: The EDPB will continue to take actions directly addressed to national
supervisory authorities and which aim to ensure consistency of their decisions in a number 
of areas (e.g. evaluation of codes of conduct, certification schemes and criteria, binding 
corporate rules, creation of standard contractual clauses, lists of risky processing activities 
to be subject to a data protection impact assessment,...) in accordance with Article 64(1) 
and (2) GDPR. In addition, the EDPB will continue to act as a dispute resolution body in 
case of dispute between EEA supervisory authorities (Article 65(1) GDPR binding decisions; 
decisions/opinions in the context of an urgency procedure under Article 66 GDPR). 


• Development and implementation of compliance mechanisms for controllers and processors
(e.g. Guidelines on assessment of certification criteria) 


• Advising the EU legislator on any important issue related to the protection of personal data
in the Union (e.g. Data Governance Act, ePrivacy, Anti-Money Laundering legislation, etc.)²,
and intensifying engagement and cooperation with other regulators and policymakers 


• Development of awareness-raising common tools on the GDPR for a wider audience (e.g.,
tools specifically tailored for non-expert professionals, such as SMEs and data subjects) 


1 The items accompanied by an asterisk (*) have already been adopted in their first version, but are to be finalised after public consultation.
2 Either on the EDPB’s own initiative or upon request, for instance from the European Commission. For EDPB opinions on adequacy decisions, see Pillar 
IV below. 


Pillar II - Supporting effective enforcement and efficient
cooperation between national supervisory authorities


• Encouraging and facilitating the use of the full range of cooperation tools enshrined
in Chapter VII of the GDPR and Chapter VII of the LED and continuously evaluating and 
improving the efficiency and effectiveness of these tools, as well as further promoting a 
common application of key concepts in the cooperation procedure 


Guidance on Art. 60 GDPR — One-stop-shop 
Guidance on Art. 61 GDPR — Mutual assistance 
Guidelines on Article 65 GDPR 


Guidelines on the calculation of administrative fines 


Assessment of the practical implementation of the amicable settlement

• Implementation of the Coordinated Enforcement Framework (CEF)³: to carry out annual
coordinated actions on pre-defined topics to allow SAs to pursue joint actions in a flexible 
but coordinated manner, ranging from joint awareness raising and information gathering to 
enforcement sweeps and joint investigations. 


• Implementation of the Support Pool of Experts (SPE)⁴: the EDPB will launch the SPE pilot
project to provide material support to EDPB Members in the form of expertise that is useful 
for investigations and enforcement activities, and to enhance cooperation and solidarity 
between EDPB Members by sharing, reinforcing and complementing strengths and 
addressing operational needs. 


3 EDPB Document on Coordinated Enforcement Framework under Regulation 2016/679 (https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/edpb-document-coordinated-enforcement-framework-under-regulation_en).

4 EDPB Document on Terms of Reference of the EDPB Support Pool of Experts (https://edpb.europa.eu/our-work-tools/our-documents/other/edpb-document-terms-reference-edpb-support-pool-experts_en).


Pillar III - A fundamental rights approach to new technologies


• Reinforcing the application of fundamental data protection principles and individual
rights and establishing common positions and guidance, especially in the context of new 
technologies 


Guidelines on examples regarding Data breach notifi 


Guidelines on Blockchain 
Guidelines on Anonymisation and Pseudonymisation 


Guidelines on the use of facial recognition technology in the area of
law enforcement

Guidelines on virtual voice assistants*


Guidelines on data protection in social media platform interfaces:
practical recommendations

Any additional guidance on legal implications relating to technological
issues, such as Cloud computing, Artificial intelligence/Machine 
Learning, Digital Identity & Identity Federation, Data Brokers, Internet 
of Things, and payment methods 





• Strengthening cooperation with external stakeholders (ENISA advisory group, ISO liaison,
Contact point of the Stakeholder Cybersecurity Certification Group, etc.) 


Pillar IV - The global dimension 


• Providing guidance on the use of transfer tools ensuring an essentially equivalent level of
protection and increasing awareness on their practical implementation and issues relating to 
government access to personal data 


Recommendations on supplementary measures (on measures that 
supplement transfer tools to ensure compliance with the EU level of 
protection of personal data)* 

Opinions on and review of adequacy decisions (UK, Republic of Korea, 
review of Japan decision, any revision of 95/46 adequacy decisions...) 
PNR agreements (UK, Canada, Japan...) 

Guidelines on codes of conduct as a tool for international transfers 
Guidelines on certification as a tool for international transfers 
Guidelines on Article 37 LED (transfers subject to appropriate 
safeguards) 

Guidance on Article 48 GDPR (transfers or disclosures not authorised 
by Union law) 

Territorial scope (Article 3) of the GDPR and its interplay with Chapter 
V 


Statement on the proposed second additional protocol to the Council
of Europe Convention on Cybercrime


International agreements involving transfers, including FATCA and
OECD CRS

Approval procedure for Article 46.3(a) ad-hoc contractual clauses and
Article 46.2(d) GDPR standard data protection clauses 





• Engaging with the international community to promote EU data protection as a global
model and to ensure effective protection of personal data beyond EU borders 


• Facilitating the engagement between EDPB members and the supervisory authorities of
third countries with a focus on cooperation in enforcement cases involving controllers/ 
processors located outside the EEA 


Annex - Documents already adopted in early 2021 


Statement on new draft provisions of the second additional protocol to the Council of Europe 
Convention on Cybercrime (Budapest Convention) 


Recommendations on the adequacy referential under the Law Enforcement Directive 


EDPB Document on the response to the request from the European Commission for 
clarifications on the consistent application of the GDPR, focusing on health research 


EDPB-EDPS Joint Opinion on Standard contractual clauses between controllers and processors 


EDPB-EDPS Joint Opinion on Standard contractual clauses for the transfer of personal data 
to third countries 


Guidelines on relevant and reasoned objection under Regulation 2016/679 


Guidelines on processing personal data in the context of connected vehicles and mobility 
related applications 




